Hacking the Hacker

How We Cracked the Code on DirCrypt Ransomware

Ransomware has become a top computer security threat over the past few years, with a rapid evolution of variants and techniques. It is perhaps the most purely ‘evil’ form of malware in that it uses scare tactics to apply psychological pressure on the victim.

Victims Don’t Know What to Do – Except Pay the Ransom

In a typical ransomware attack, cybercriminals block access to a user’s computer completely or encrypt files so the user can’t access them. Just like a kidnapper, the cybercriminal then demands that the user pay a ransom to regain control of their PC and data. Typically, payment must be made through Bitcoin, MoneyPak or other hard-to-track financial transaction systems.

Ransomware is spreading quickly because it can be so effective and profitable. The average computer user has no idea how to deal with such an attack, other than to pay the ransom. The more frequently ransoms are paid, however, the more incentive there is for malware authors and operators to launch new ransomware attacks.

In our efforts to fight this increasingly common attack, Check Point malware researchers recently discovered vulnerabilities in DirCrypt, a form of ransomware that’s becoming increasingly widespread. DirCrypt sweeps through a user’s computer files, targeting documents, images and archive files. The suffix of the affected files is changed to ‘.enc.rtf’.

A DirCrypt victim doesn’t realize the attack has happened until after the damage is done. Upon clicking one of the affected files, the user will find no trace of its original contents. Instead, an RTF document opens with instructions on how to pay the ransom.

However, from our research, we found that the damage wrought by this malware can be reversed.

Getting User Data Back – Without Paying the Ransom

Given the challenges continually faced with ransomware, how is it effectively countered?

One solution is to find a way for victims to get their data back without paying a ransom. And with that solution in mind, we set out to look for DirCrypt’s Achilles heel. While it took a bit of sleuthing, we were able to unravel DirCrypt’s mischief, and have outlined the steps to remediation in our downloadable white paper, “Hacking the Hacker.”

Briefly stated, through investigation we identified two separate file encryption functions and determined how to exploit their weakness and restore a majority of the encrypted files—no ransom payment required. Our goal was to show that ransomware attacks can be reversible, and we achieved that.

There’s almost always a weakness to exploit for the benefit of the defender. In this case, we found that the malware creators failed to implement cryptographic components correctly. It’s important to remember that cybercriminals are human, too. They make mistakes and get lazy like anyone else. And when they do, the security industry will be there to catch them.